Option 1: The security lead can specify and verify, but not manage protection activities
Option 2: The security lead can manage protection activities, but not specify or verify
Option 3: The security lead can mix combinations of management and specification and verification, but not for the same item.
IF the enterprise is small AND maturity level is Initial or less, THEN The security lead can manage/perform protection activities, but not specify or verify,
OTHERWISE IF maturity level is Repeatable or lower, THEN The security lead can specify and verify, but not manage/perform protection activities,
OTHERWISE IF maturity level is Managed or greater, THEN The security lead can specify and verify, but not manage/perform protection activities, OR The security lead can mix combinations of management/performance and specification and verification, but not for the same item.
OTHERWISE the Defined maturity level documentation should specify the roles of the security lead in this regard.
The following assignment sets are typical of options 1, 2, or 3, with contact identified for options 1, 2, and 3 in that order only:
|Business||Policy||1||23||1||AB, BC, BC|
|Business||Control Standards||1||23||1||AB, BC, BC|
|Business||Procedures||13||2||13||AB, BC, BC|
|Business||HR||13||2||13||AB, BC, BC|
|Business||Legal||13||2||13||AB, BC, AB|
|Business||Risk Management||1||23||1||AB, BC, AB|
|Operations||Testing||13||2||13||AB, BC, AB|
|Operations||Change Control||13||2||13||AB, BC, AB|
|Operations||Physical technical safeguards||13||2||13||AB, BC, AB|
|Operations||Logical technical safeguards||13||2||13||AB, BC, AB|
|Operations||Incident handling||13||2||13||AB, BC, AB|
|Assurance||Audit||1||23||1||AB, BC, BC|
|Assurance||Knowledge||1||23||1||AB, BC, AB|
|Assurance||Awareness||1||23||1||AB, BC, AB|
|Assurance||Documentation||1||23||1||AB, BC, AB|
Fill in the following table detailing alternatives for Specifying (S), Performing (P), and Verifying (V) systems for Low, Medium, and High risk systems following the rules here:
IF Risk is Low,
THEN The security lead can specify, perform, and verify the same element. (SPV)
IF Risk is Medium,
THEN The security lead can specify and verify OR perform the same element, but not both. (SV) OR (P)
IF Risk is High, THEN
|Operations||Physical technical safeguards||.||.||.|
|Operations||Logical technical safeguards||.||.||.|
In many large enterprises, the IP Lead performs executive functions in specification and verification of the protection program but does not directly manage/perform any execution of protection functions. This is done by operations under the CIO.
The IP Lead can manage/perform protection activities, but not specify or verify
When the IP Lead works for the CIO, they are often put in a position of operating the protection program instead of specifying and verifying it. This generally means that the IP Lead is in too low a position for the job to get properly done, however; in smaller enterprises or immature ones, this may be the best solution to getting the most knowledge to the protection program.
The IP Lead can mix combinations of management/performance and specification and verification, but not for the same item.
In some more mature enterprises, the IP Lead manages many elements of the business functions and assurance processes and only specifies and verify the operational aspects run by the IP Lead.
The IP Lead has direct peer-to-peer contact with the heads of the area of the enterprise.
The IP Lead should generally have peer-to-peer relationships with those in charge of each area involved in information protection. If this is not in place, it create failures in the protection program that ultimately result in large-scale protection failures. This is a heated political issue in many enterprises, as the CEO places the IP Lead under the CIO, and the CIO prevents the IP Lead from doing their job or communicating with other appropriate individuals required in order for the protection program to operate properly. The CEO or COO is responsible for such failures and they should act to mitigate the situation if it exists.
The IP Lead is a member of an executive security counsel including executives from the area.
In cases where the IP Lead operates part of the program by managing the direct execution of the functions, they should be a member of the executive level counsel that makes the decisions on how to specify the requirements and verifies proper operation. This is necessary in order to have the information required to get the job done effectively.
The roles of the IP Lead are limited by requirements for separation of duties. In particular, any one individual who specifies, performs, and verifies any particular activity is essentially able to subvert that activity in its entirety. For that reason, any activity that is important enough to assure should be assured with separation of duties. Indeed, as risk goes up, more separation is reasonably applied. Thus the decision is about how to separate the duties of the IP Lead.
Specify:The IP Lead can specify protection
Specifying an activity implies the ability to bound its scope and mandate its implementation. Generally, specifications are not so complete or perfect that they are implementable as is in performance.
Perform: The IP Lead can perform protection
Performing an activity implies that specific actions are taken. They are supposed to reflect the specification, but do not always precisely do so.
Verify: The IP Lead can verify protection
Verifying an activity implies determining whether and to what extent, the specification was properly performed or the performance properly varied from the specification. Hindsight is often touted as 20/20, but then history is often rewritten by the victors.